Lawmakers Seek Input On Addressing Open-Source Software Vulnerabilities

House Energy and Commerce Committee leadership is seeking input from the head of the Linux Foundation on how to better secure systems using open-source software (OSS) from known vulnerabilities.

Rep. Greg Walden (R-Ore.), committee chairman, and Rep. Gregg Harper (R-Miss.), oversight subcommittee chairman, sent a letter to Linux Monday calling for information on the “Heartbleed” vulnerability, which allows hackers to steal sensitive data stored on OSS-based websites.

“OSS is such a foundational part of the modern connected world that it has become critical cyber infrastructure. As we continue to examine cyber security issues generally, it is therefore imperative that we understand the challenges and opportunities the OSS ecosystem faces, and potential steps that OSS stakeholders may take to further support it,” Walden and Harper wrote in their letter to Jim Zemlin, Linux Foundation’s executive director.

Linux oversees the Core Infrastructure Initiative (CII), which funds efforts to protect and secure vulnerable OSS systems.

OSS provides companies easier access to transport-layer encryption, network time management and data storage but offers the potential for widespread vulnerability exploitation, like Heartbleed.

The Heartbleed vulnerability was discovered in April 2014, but is still potentially affecting systems and allowing for the theft of sensitive data in systems that have gone unpatched.

“While the extent of OSS adoption clearly demonstrates the value that the ecosystem provides, its pervasiveness also creates widespread, distributed and common points of potential risk across organizations when OSS vulnerabilities are found,” Walden and Harper wrote.

CII was created following the disclosure of Heartbleed, and Walden and Harper want Zemlin to assist in figuring out how to mitigate ongoing vulnerabilities that may exist in systems running software not made by companies like Microsoft [MSFT] or Apple [AAPL].

Specifically, the committee leadership wants to know how CII performs its OSS studies, which cyber infrastructure pieces need the most critical protection, the level of current OSS usage and where the greatest vulnerabilities still exist.

“The committee appreciates the work that the CII, its sponsors and the various projects and developers that it supports have accomplished,” the lawmakers wrote.
